# Using Okctl with an access key
If you want to use okctl with an access key from AWS instead of okctl's default authentication, follow these steps.
## Get an access key
Log in to your AWS console ➡ IAM ➡ Users ➡ Pick one ➡ Security credentials ➡ Create access key.
Note down the access key ID and the secret access key.
## Log in to your cluster

```shell
# Usage
# export AWS_ACCESS_KEY_ID=<your access key id>
# export AWS_SECRET_ACCESS_KEY=<your access key secret>
#
# okctl -a access-key venv --cluster-declaration <cluster declaration>

# Example
export AWS_ACCESS_KEY_ID=someid
export AWS_SECRET_ACCESS_KEY=somesecret
okctl -a access-key venv --cluster-declaration my-cluster.yaml
```
Reference: AWS documentation - CLI configure envvars
## Get a team member to give you access
Someone with access to the okctl cluster must give you access by following the steps below.
Log in to the cluster with `okctl venv` as described above, then open the `aws-auth` configmap for editing:

```shell
kubectl edit configmap -n kube-system aws-auth
```

Add an element to the `mapUsers` field, so it looks like this (IAM user ARNs take the form `arn:aws:iam::<account>:user/<name>`):

```yaml
apiVersion: v1
data:
  mapRoles: |
    ...
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/email@example.com
      username: firstname.lastname@example.org
      groups:
        - system:master
    - userarn: arn:aws:iam::123456789012:user/email@example.com
      username: firstname.lastname@example.org
      groups:
        - system:master
```
Replace:

- `123456789012` with the AWS account number
- `email@example.com` with the e-mail of the user giving access
- `firstname.lastname@example.org` with the e-mail of the user who wants access
There could be more users listed here.
Create a file `mycluster-access-list.yaml` with the following contents (or edit the file, if you have run this step before):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mycluster-access-list
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: email@example.com
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: firstname.lastname@example.org
```
Under `subjects`, edit the list so that it contains all the users who shall have access to the cluster. This should be the same list of users as in `mapUsers` mentioned above. Then apply it:

```shell
kubectl apply -f mycluster-access-list.yaml
```
Reference: AWS documentation - Add user role
Now, the user who wants access can verify that things work by running

```shell
export AWS_ACCESS_KEY_ID=someid
export AWS_SECRET_ACCESS_KEY=somesecret
okctl -a access-key venv -c my-cluster.yaml
kubectl get pods
```

This should give no errors: either a list of pods, or just the message `No resources found in default namespace.`
That's it. Now you are able to run all okctl commands with the `-a access-key` option, which tells okctl to use the provided access key instead of the default authentication method.